Posted by: David Harley | August 19, 2016

AV-Test on Android security apps

Davey Winder asks some interesting questions about AV-Test’s latest test of Android security apps. Is Android as easy to secure as the latest AV-TEST results appear to suggest?

A number of people, including ESET’s Mark James, attempt to answer those questions, but unfortunately the article boils them down to soundbites. Maybe I’ll come back to this one on the Anti-Malware Testing blog (where this short pointer article is also posted).

David Harley
ESET Senior Research Fellow

Posted by: David Harley | August 19, 2016

Marcher Trojan Impersonating Android Update

David Bisson for Graham Cluley’s blog on Marcher Trojan impersonating Android update: New firmware update? No, it’s the devious Marcher Android trojan up to no good – Android-based malware comes with new tricks, bells, and whistles.

Based on Zscaler research: Android Marcher: Continuously Evolving Mobile Malware.

Weird: the Cluley blog shows a toy soldier, where my first thought when I see the word ‘Marcher’ is of the nobility that used to guard the Welsh border. Maybe I should retire and write history books.

David Harley

Posted by: David Harley | August 19, 2016

Apteligent Evaluating Android

Apteligent report on ‘WHICH ANDROID MANUFACTURER PUSHES OS UPDATES THE FASTEST?’, Android device crash rates, device fragmentation…

Commentary by John Leyden for The Register: Two-speed Android update risk: Mobes face months-long wait – We need to outpace malware-flingers, securo folk warn

David Harley

Posted by: David Harley | August 10, 2016


Lengthy description/analysis of an interesting Android ransomware threat from McAfee: ‘Cat-Loving’ Mobile Ransomware Operates With Control Panel.

I look forward to hearing commentary from Grumpy Cat. There is, however, no truth in rumours of a German language version known as BlackForestGato.

(Also posted to AVIEN, where I maintain a ransomware resource page.)

David Harley

Posted by: David Harley | August 5, 2016

Locking in iOS Jailbreakers

Paul Ducklin for Sophos: Apple rushes out iOS update, shuts out jailbreakers

Jailbreakers try to find and exploit iOS bugs, not to commit crimes but simply to liberate their iPhones from Apple’s “walled garden,” by which you are forced to shop at the App Store only […] As far as we know, no crooks were using Team Pangu’s hack, but a security hole is a security hole, leaving Apple little choice but to push out a patch.

David Harley

Posted by: David Harley | August 5, 2016

Apple’s Bug Bounty Programme

The Register: Apple joins the bug bounty party with $200,000 top prize – Cupertino will match bounties if hackers donate them to charity

Softpedia: Apple Announces Invite-Only Bug Bounty Program – Program expected to expand to all researchers later on

Rich Mogull: Thoughts on Apple’s Bug Bounty Program

David Harley

Posted by: David Harley | July 19, 2016

MacKeeper threatens young critic with a harassment suit

I haven’t checked out MacKeeper personally, but its name keeps coming up in various contexts, and not usually in a context that inspires confidence. And I can’t help but notice that many of the requests for advice I receive are from people using it.

Perhaps I should just repeat, more or less, something I said in an earlier blog:

The name has come up several times in comments directed towards Mac security sites like this one, Mac-related user forums and on various specialized lists, in the context of dubious malware alert pop-ups and aggressive marketing. I’ve never used or tested the product myself (and don’t intend to – as long as I’m getting a sizeable proportion of my income from a security product, I prefer not to return to formally testing other security products), I haven’t seen any of the behaviour of which the product is accused at first hand, and I obviously can’t in normal circumstances confirm the veracity or otherwise of accusations made in blog comments.

But apparently 14-year-old Luqman Wadood has been so outspoken that the company behind the product has threatened him with legal action over some videos he posted on YouTube.

Graham makes the very apposite point ‘I wonder if MacKeeper has ever heard of the Streisand effect?’ At any rate, there are a number of comments to his article at the moment that all seem to support Wadood’s position.

David Harley

Posted by: David Harley | July 15, 2016

Pokémon beGOne

[Also published on the AVIEN blog, slightly edited here.]

Not quite ransomware (though there is a suggestion that it may happen), but my ESET colleague Lukas Stefanko describes a fake lockscreen app that takes advantage of the currently prevalent obsession with Pokémon GO to install malware. The app locks the screen, forcing the user to reboot. The reboot may only be possible by removing and replacing the battery, or by using the Android Device Manager. After reboot, the hidden app uses the device to engage in click fraud, generating revenue for the criminals behind it by clicking on advertisements. He observes:

This is the first observation of lockscreen functionality being successfully used in a fake app that landed on Google Play. It is important to note that from there it just takes one small step to add a ransom message and create the first lockscreen ransomware on Google Play.

In fact, it would also require some other steps to enable the operators to collect ransom, but the point is well taken. It’s an obvious enough step that I’m sure has already occurred to some ransomware bottom-feeders. Anyway, since the idea is already out there, it’s just as well to make (some) potential victims aware of the possibility. And it’s all too easy for a relatively simple scam to take advantage of a popular craze.

Clicking on porn advertisements isn’t the only payload Lukas mentions: the article is also decorated with screenshots of scareware pop-ups and fake notifications of prizes.

The ESET article is here: Pokémon GO hype: First lockscreen tries to catch the trend

Somewhat-related recent articles from ESET:

Other blogs are available. 🙂

David Harley

Posted by: David Harley | July 8, 2016

Ransomware and a rumoured Apple ID breach

[Also published on the AVIEN blog, where I maintain a ransomware links/information resource]

For CSO Online, Steve Ragan describes how Ransom demands are written in Russian via the Find my iPhone service. Here’s how he describes the attack:

It starts with a compromised Apple ID. From there, the attacker uses Find My iPhone and places the victim’s device into lost mode. At this point, they can lock the device, post a message to the lock screen and trigger a sound to play, drawing attention to it.

Thomas Reed also described a similar attack a few months back using iCloud’s ‘Find My Mac’.

Ragan also mentions ‘a rumor concerning “rumblings of a massive (40 million) data breach at Apple.”‘ I’ve seen no confirmation of that anywhere, but it’s certainly a good time to check that your Apple ID credentials are in good shape.

Commentary by Graham Cluley here. You might want to consider taking up his suggestion of enabling two-step verification on your Apple ID account, too.

David Harley

Posted by: David Harley | July 7, 2016

Sweet: Nougat offers a lockscreen security nugget

Graham Cluley describes How Android Nougat will help protect your password from ransomware – New condition will partially prevent unwanted Android lockscreen password resets. The new OS upgrade will change the resetPassword API so that it can set a lockscreen password, but can’t reset it.

Which means that the new OS won’t stop malware setting the password if the user hasn’t already set one. Which sounds like a pretty good extra incentive to set one if you haven’t already. However, it looks as though it will also stop security software from disinfecting an upgraded phone if it becomes infected.

Nougat (Android 7.0) is scheduled to be rolled out later this year.

I’ve posted some odds and ends of information on how ransomware affects various platforms on an AVIEN blog page here: Ransomware: Affected Platforms & Devices

David Harley
